﻿<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

	<head>
		<meta content="text/html; charset=utf-8" http-equiv="Content-Type" />
		<title>Permission Management - 权限管理</title>
		<link type="text/css" rel="stylesheet" href="../bootstrap.min.css" />
	</head>

	<body>

		<div class="bs-callout bs-callout-warning">
			<h4>About Authorization - 关于授权</h4>
			<p>It's strongly suggested to read <a href="/Pages/Documents/Authorization">
	authorization documentation</a> before this document.</p>
			<p class="translation">强烈建议查看此文档前阅读<a href="../Authorization">授权文档</a>。</p>
		</div>

		<div class="document-contents">

			<h3>Introduction - 介绍</h3>
			<p>Module-zero implements <strong>IPermissionChecker</strong> interface of 
ASP.NET Boilerplate's authorization system. To define and check permissions, you can see
				<a href="/Pages/Documents/Authorization">authorization document</a>. In this 
document, we will see how to grant permissions for roles and users.</p>
			<p class="translation">
				Module-Zero 实现了 ASP.NET Boilerplate 授权系统的 <strong>IPermissionChecker</strong> 接口。
				要定义和检测权限，你可以参阅<a href="/Pages/Documents/Authorization">授权</a>文档。
				在此文档中，我们将会看到如何为角色及用户授予权限。
			</p>
			<h3>Role Permissions - 角色权限</h3>
			<p>If we <strong>grant</strong> a role for a permission, all users have this 
	role are authorized for the permission (unless explicitly prohibited for a 
	specific user). </p>
			<p class="translation">
				如果我们给一个角色<strong>授予</strong>一个权限，那么拥有这个角色的所有用户都拥有该权限的授权（除非对于一个特定的用户显示禁止）。
			</p>
			<p>We use <strong>RoleManager</strong> to change permissions of a Role. For example,
				<strong>SetGrantedPermissionsAsync</strong> can be used to change all permissions of a role 
	in one method call:</p>
			<p class="translation">
				我们使用 <strong>RoleManager</strong> 来修改一个角色的权限。
				例如，<strong>SetGrantedPermissionsAsync</strong> 可以被用来在一个方法调用中修改一个角色的所有权限：
			</p>
			<pre lang="cs">public class RoleAppService : IRoleAppService
{
    private readonly RoleManager _roleManager;
    private readonly IPermissionManager _permissionManager;

    public RoleAppService(RoleManager roleManager, IPermissionManager permissionManager)
    {
        _roleManager = roleManager;
        _permissionManager = permissionManager;
    }

    public async Task UpdateRolePermissions(UpdateRolePermissionsInput input)
    {
        var role = await _roleManager.GetRoleByIdAsync(input.RoleId);
        var grantedPermissions = _permissionManager
            .GetAllPermissions()
            .Where(p =&gt; input.GrantedPermissionNames.Contains(p.Name))
            .ToList();

        await _roleManager.SetGrantedPermissionsAsync(role, grantedPermissions);
    }
}</pre>
			<p>In this example, we get a <b>RoleId</b>
	and list of granted permission names (input.GrantedPermissionNames is a 
	List&lt;string&gt;) as input. We use <strong>IPermissionManager</strong> to find 
	all <strong>Permission</strong> objects by name. Then we call <strong>
	SetGrantedPermissionsAsync</strong> method to update permissions of the 
	role.</p>
			<p class="translation">
				在这个例子中，我们获得了一个 <b>RoleId</b> 和授予权限的名称列表（input.GrantedPermissionNames 是 List&lt;string&lg; 类型）作为输入。
				我们使用 <strong>IPermissionManager</strong> 根据名称来查看所有的权限对象。
				然后我们调用 <strong>SetGrantedPermissionsAsync</strong> 方法来更新角色的权限。
			</p>
			<p>There are also other methods like GrantPermissionAsync and 
	ProhibitPermissionAsync to control permissions one by one.</p>
			<p class="translation">
				还有其他方法来一个个地控制权限，如 GrantPermissionAsync 和 ProhibitPermissionAsync。
			</p>
			<h3>User Permissions - 用户权限</h3>
			<p>While role-based permission management can be enough for most 
	applications, we may need to control permissions per user. When we define a 
	permission setting for a user, it overrides permission setting comes from 
	roles of the user.</p>
			<p class="translation">
				虽然对于大多说应用来说，基于角色的权限管理可能足够了，但是我们可能需要控制每个用户的权限。
				当我们为一个用户定义一个权限设置时，它就重写了来自该用户所属角色的权限设置。
			</p>
			<p>As an example; Assume that we have an application service to prohibit a 
	permission for a user:</p>
			<p class="translation">
				例如，假设我们有一个应用程序服务，该服务对于某个用户是没有使用权限的：
			</p>
			<pre lang="cs">public class UserAppService : IUserAppService
{
    private readonly UserManager _userManager;
    private readonly IPermissionManager _permissionManager;

    public UserAppService(UserManager userManager, IPermissionManager permissionManager)
    {
        _userManager = userManager;
        _permissionManager = permissionManager;
    }

    public async Task ProhibitPermission(ProhibitPermissionInput input)
    {
        var user = await _userManager.GetUserByIdAsync(input.UserId);
        var permission = _permissionManager.GetPermission(input.PermissionName);

        await _userManager.ProhibitPermissionAsync(user, permission);
    }
}</pre>
			<p>UserManager has many methods to control permissions for users. In this 
	example, we're getting a UserId and PermissionName and using UserManager's
				<strong>ProhibitPermissionAsync</strong> method to prohibit a permission for 
	a user. </p>
			<p class="translation">
				User Manager 有许多控制用户权限的方法。
				在这个例子中，我们获得了 UserId 和 PermissionName，并使用 <strong>ProhibitPermissionAsync</strong> 方法禁止一个用户拥有某个权限。
			</p>
			<p>When we <strong>prohibit</strong> a permission for a user, he/she <strong>
	can not</strong> be authorized for this permission even his/her roles are
				<strong>granted</strong> for the permission. We can say same principle for 
	granting. When we <strong>grant</strong> a permission specifically for a 
	user, this user <strong>is granted</strong> for the permission even roles of 
	the user are not granted for the permission. We can use <strong>
	ResetAllPermissionsAsync</strong> for a user to delete all user-specific 
	permission settings for the user.</p>
			<p class="translation">
				当我们<strong>禁止</strong>某个用户拥有某个权限时，即使他所属的角色授予了该权限，但他还是<strong>不能</strong>获得这个权限的授权。
				我们可用同样的原则说。
				当我们特别给某个用户<strong>授予</strong>权限时，即使该用户所属的角色没有授予权限，那么该用户也得到了该权限的<strong>授权</strong>。
				我们可以使用 <strong>ResetAllPermissionsAsync</strong> 为用户删除所有的用户特定的权限设置。
			</p>

		</div>

	</body>

</html>
